Request Size Limits

Overview

With Tyk, you can apply limits to the size of requests made to your HTTP APIs. You might use this feature to protect your Tyk Gateway or upstream services from excessive memory usage or brute force attacks.

Tyk Gateway offers a flexible tiered system of limiting request sizes ranging from globally applied limits across all APIs deployed on the gateway down to specific size limits for individual API endpoints.

Use Case

Protecting the entire Tyk Gateway from DDoS attacks

You can configure a system-wide request size limit that protects all APIs managed by the Tyk Gateway from being overwhelmed by excessively large requests, which could be part of a DDoS attack, ensuring the stability and availability of the gateway.

Limiting request sizes for a lightweight microservice

You might expose an API for a microservice that is designed to handle lightweight, fast transactions and is not equipped to process large payloads. You can set an API-level size limit that ensures the microservice behind this API is not forced to handle requests larger than it is designed for, maintaining its performance and efficiency.

Controlling the size of GraphQL queries

A GraphQL API endpoint might be susceptible to complex queries that can lead to performance issues. By setting a request size limit for the GraphQL endpoint, you ensure that overly complex queries are blocked, protecting the backend services from potential abuse and ensuring a smooth operation.

Restricting upload size on a file upload endpoint

An API endpoint is designed to accept file uploads, but to prevent abuse, you want to limit the size of uploads to 1MB. To enforce this, you can enable the Request Size Limit middleware for this endpoint, configuring a size limit of 1MB. This prevents users from uploading excessively large files, protecting your storage and bandwidth resources.

Working

Tyk compares each incoming API request with the configured maximum size for each level of granularity in order of precedence and will reject any request that exceeds the size you have set at any level of granularity, returning an HTTP 4xx error as detailed below.

All size limits are stated in bytes and are applied only to the request body (or payload), excluding the headers.

Applying a system level size limit

You can configure a request size limit (in bytes) that will be applied to all APIs on your Tyk Gateway by adding max_request_body_size to the http_server_options element of your tyk.conf Gateway configuration. For example:

"max_request_body_size": 5000

A value of zero (default) means that no maximum is set and the system-wide size limit check will not be performed.

This limit will be evaluated before API-level or endpoint-level configurations. If this test fails, the Tyk Gateway will return an error HTTP 413 Request Entity Too Large.

If you’re using Tyk OAS APIs, then you can find details and examples of how to configure an API or endpoint-level request size limit here.

If you’re using Tyk Classic APIs, then you can find details and examples of how to configure an API or endpoint-level request size limit here.

Using Tyk OAS

The request size limit middleware enables you to apply limits to the size of requests made to your HTTP APIs. You might use this feature to protect your Tyk Gateway or upstream services from excessive memory usage or brute force attacks.

The middleware is configured in the Tyk OAS API Definition. You can do this via the Tyk Dashboard API or in the API Designer.

If you’re using the legacy Tyk Classic APIs, then check out the Tyk Classic page.

API Definition

There are three different levels of granularity that can be used when configuring a request size limit.

• system-wide: affecting all APIs deployed on the gateway
• API-level: affecting all endpoints for an API
• endpoint-level: affecting a single API endpoint

Applying a size limit for a specific API

The API-level size limit has not yet been implemented for Tyk OAS APIs.

You can work around this by implementing a combination of endpoint-level size limits and allow or block lists.

Applying a size limit for a specific endpoint

The design of the Tyk OAS API Definition takes advantage of the operationId defined in the OpenAPI Document that declares both the path and method for which the middleware should be added. Endpoint paths entries (and the associated operationId) can contain wildcards in the form of any string bracketed by curly braces, for example /status/{code}. These wildcards are so they are human readable and do not translate to variable names. Under the hood, a wildcard translates to the “match everything” regex of: (.*).

The virtual endpoint middleware (requestSizeLimit) can be added to the operations section of the Tyk OAS Extension (x-tyk-api-gateway) in your Tyk OAS API Definition for the appropriate operationId (as configured in the paths section of your OpenAPI Document).

The requestSizeLimit object has the following configuration:

• enabled: enable the middleware for the endpoint
• value: the maximum size permitted for a request to the endpoint (in bytes)

For example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

{
    "components": {},
    "info": {
        "title": "example-request-size-limit",
        "version": "1.0.0"
    },
    "openapi": "3.0.3",
    "paths": {
        "/anything": {
            "post": {
                "operationId": "anythingpost",
                "responses": {
                    "200": {
                        "description": ""
                    }
                }
            }
        }
    },
    "x-tyk-api-gateway": {
        "info": {
            "name": "example-request-size-limit",
            "state": {
                "active": true,
                "internal": false
            }
        },
        "upstream": {
            "url": "http://httpbin.org/"
        },          
        "server": {
            "listenPath": {
                "value": "/example-request-size-limit/",                
                "strip": true
            }
        },      
        "middleware": {
            "operations": {
                "anythingpost": {
                    "requestSizeLimit": {
                        "enabled": true,
                        "value": 100
                    }
                }
            }
        }
    }
}

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /anything endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 100 bytes, will reject the request, returning HTTP 400 Request is too large.

The configuration above is a complete and valid Tyk OAS API Definition that you can import into Tyk to try out the virtual endpoint middleware.

API Designer

Adding the Request Size Limit middleware to your API endpoints is easy when using the API Designer in the Tyk Dashboard, simply follow these steps:

1. Add an endpoint for the path

   From the API Designer add an endpoint that matches the path for you want to limit the size of requests.

   

   

   

2. Select the Request Size Limit middleware

   Select ADD MIDDLEWARE and choose the Request Size Limit middleware from the Add Middleware screen.

   

3. Configure the middleware

   Now you can set the size limit that the middleware should enforce - remember that this is given in bytes.

   

4. Save the API

   Select ADD MIDDLEWARE to save the middleware configuration. Remember to select SAVE API to apply the changes to your API.

Using Classic

The request size limit middleware enables you to apply limits to the size of requests made to your HTTP APIs. You might use this feature to protect your Tyk Gateway or upstream services from excessive memory usage or brute force attacks.

This middleware is configured in the Tyk Classic API Definition. You can do this via the Tyk Dashboard API or in the API Designer.

If you’re using the newer Tyk OAS APIs, then check out the Tyk OAS page.

If you’re using Tyk Operator then check out the configuring the middleware in Tyk Operator section below.

API Definition

There are three different levels of granularity that can be used when configuring a request size limit.

• system-wide: affecting all APIs deployed on the gateway
• API-level: affecting all endpoints for an API
• endpoint-level: affecting a single API endpoint

Applying a size limit for a specific API

You can configure a request size limit (in bytes) to an API by configuring the global_size_limit within the version element of the API Definition, for example:

"global_size_limit": 2500 

A value of zero (default) means that no maximum is set and the API-level size limit check will not be performed.

This limit is applied for all endpoints within an API. It is evaluated after the Gateway-wide size limit and before any endpoint-specific size limit. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

Applying a size limit for a specific endpoint

The most granular control over request sizes is provided by the endpoint-level configuration. This limit will be applied after any Gateway-level or API-level size limits and is given in bytes. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

To enable the middleware you must add a new size_limits object to the extended_paths section of your API definition.

The size_limits object has the following configuration:

• path: the endpoint path
• method: the endpoint HTTP method
• size_limit: the maximum size permitted for a request to the endpoint (in bytes)

For example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
    "extended_paths": {
        "size_limits": [
            {
                "disabled": false,
                "path": "/anything",
                "method": "POST",
                "size_limit": 100
            }
        ]
    }
}

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /anything endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 100 bytes, will reject the request, returning HTTP 400 Request is too large.

API Designer

You can use the API Designer in the Tyk Dashboard to configure a request size limit for your Tyk Classic API by following these steps.

1. Add an endpoint for the path and select the plugin

   From the Endpoint Designer add an endpoint that matches the path for which you want to limit the size of requests. Select the Request size limit plugin.

   

2. Configure the middleware

   Set the request size limit, in bytes.

   

3. Save the API

   Use the save or create buttons to save the changes and activate the middleware.

   Note

   The Tyk Classic API Designer does not provide an option to configure global_size_limit, but you can do this from the Raw Definition editor.

Tyk Operator

The process for configuring a request size limit is similar to that defined in section configuring the middleware in the Tyk Classic API Definition. Tyk Operator allows you to configure a request size limit for all endpoints of an API or for a specific API endpoint.

Applying a size limit for a specific API

The process for configuring the request size_limits middleware for a specific API is similar to that explained in applying a size limit for a specific API.

You can configure a request size limit (in bytes) for all endpoints within an API by configuring the global_size_limit within the version element of the API Definition, for example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin-global-limit
spec:
  name: httpbin-global-limit
  use_keyless: true
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin-global-limit
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        global_size_limit: 5
        name: Default

The example API Definition above configures an API to listen on path /httpbin-global-limit and forwards requests upstream to http://httpbin.org.

In this example the request size limit is set to 5 bytes. If the limit is exceeded then the Tyk Gateway will report HTTP 400 Request is too large.

Applying a size limit for a specific endpoint

The process for configuring the request size_limits middleware for a specific endpoint is similar to that explained in applying a size limit for a specific endpoint.

To configure the request size_limits middleware you must add a new size_limits object to the extended_paths section of your API definition, for example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin-limit
spec:
  name: httpbin-limit
  use_keyless: true
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin-limit
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        use_extended_paths: true
        extended_paths:
          size_limits:
            - method: POST
              path: /post
              size_limit: 5

The example API Definition above configures an API to listen on path /httpbin-limit and forwards requests upstream to http://httpbin.org.

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /post endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 5 bytes, will reject the request, returning HTTP 400 Request is too large.